Global Threat Landscape Report
A Semiannual Report by FortiGuard Labs
August 2023

Table of Contents
Executive Summary
1H 2023 at a Glance
Let's Rewind: Five-Year Threat Trends
Penetrating the Red Zone
From Exploit Prediction to Outbreak
Global ATT&CK Heatmap
Technique Insights from Endpoint Telemetry
Protecting Your Enterprise from Evolving Threats
Conclusion and Final Outlook

Executive Summary

The threat landscape and organizations' attack surfaces are constantly transforming, and the ability of cybercriminals to quickly design and adapt their techniques to exploit this evolving environment continues to pose significant risks to businesses of all sizes, regardless of industry or geography.

As we examine activity in the first half of 2023, we see cybercrime organizations and nation-state cyber-offensive groups swiftly adopting new technologies. Notably, some of these actors operate much like traditional enterprises, complete with well-defined responsibilities, deliverables, and objectives. This organizational structure, combined with deep pockets resulting from past exploits or nation-state sponsors, facilitates their offensive stance, allowing them to experiment with and incorporate game-changing technologies, such as new generative AI, that make their attacks more complex and harder to detect.

The uptick in attacker sophistication is evident across the landscape, where threats have escalated in frequency and complexity. This is characterized by a rise in highly targeted attacks across various sectors, including intricate ransomware campaigns, substantial data breaches, and a notable shift in MITRE ATT&CK tactics, as observed through our global, AI-enhanced detection capabilities.

1H 2023 at a Glance

APT Groups: Activity was detected for 41 of the 138 (30%) APT groups identified by MITRE. These attacks are more focused and planned and also occur in quick "waves," so seeing nearly a third of all categorized APT groups active is concerning.

Into the Red Zone: The percent of all endpoint
vulnerabilities targeted by attackers remained relatively steady (around 8%) in 1H 2023 compared to the previous period.

Ransomware: The ransomware rollercoaster continued, with ransomware's share of all malware detections ending 1H 2023 roughly 13x higher than it began. Fewer organizations are detecting ransomware activity than in the past (13% versus 22%), reaffirming that ransomware is becoming more sophisticated and targeted.

Time-to-Exploitation: Our analysis shows that the most exploitable vulnerabilities, as identified by EPSS, are 327 times more likely to be attacked within a week than the others on your radar.

ICS and OT Attacks: Attacks targeting industrial control systems (ICS) and operational technologies (OT) didn't occur at high volume but trended up over the first half of 2023. Half of organizations saw ICS or OT exploits, with energy and utilities ranking among the top targets.

ATT&CK Sightings: Using our detection technologies, we observed activity for two-thirds of all known MITRE ATT&CK techniques over the first half of 2023.

At-a-glance figures as printed: Time-to-Exploitation 327x; Into the Red Zone 8.3% (-0.6% since last half); ATT&CK Sightings 66.7% of techniques seen, 33.3% not seen; ransomware share of all malware detections by month: Jan 0.30%, Feb 0.72%, Mar 2.3%, Apr 4.0%, May 4.8%, Jun 3.7% (a 12.6x increase).

1H 2023 Global Threat Landscape Report

In 1H 2023, we observed significant activity among advanced persistent threat (APT) groups
, a rise in ransomware frequency and complexity, increased botnet activity, a shift in the MITRE ATT&CK techniques used by attackers, and more. However, despite the changing threat landscape, it's not all bad news for defenders. In this report, we'll also look closely at vulnerabilities and offer advice on prioritizing your patching and remediation efforts. And because so much of the threat landscape activity we're seeing is familiar, there are plenty of opportunities to implement strategies to effectively defend against bad actors. Lastly, we'll cover numerous actionable steps you can take today, such as leveraging threat intelligence to better safeguard your organization.

A third of all categorized APT groups were active in 1H 2023

It's worth taking a moment to spotlight the threat actors behind the trends we're analyzing. As part of its efforts to support the ATT&CK framework, MITRE tracks 138 cyberthreat groups.[1] Monitoring the collective activity of these groups is an essential component of mapping and analyzing the threat landscape. From January through June 2023, we observed activity attributed to 41 of these groups (30%). Of those, Turla, StrongPity, Winnti, OceanLotus, and WildNeutron were the most active
 based on malware genetic code analysis.

Turla is possibly one of the most proficient threat groups in existence. They have operated under numerous aliases (Snake, Venomous Bear, and Blur Python, to name a few) for nearly two decades. Turla has been linked to more than 45 high-profile attacks, impacting government agencies, media, energy sector organizations, and embassies worldwide. They've had success in breaching organizations and flying under the radar for years, even in highly monitored environments, and given the escalation of the Russian-Ukrainian conflict, we were not surprised to see increased activity from this particular group.

However, there's some good news: over the past six months, APT group activity impacted only a small subset of all organizations, indicating that APT activity is still highly targeted, at least for the time being. This makes sense, as these groups won't waste their cyber weapons on spraying attacks.

The ransomware rollercoaster continues

While ransomware has existed for decades, in recent years we've witnessed threat actors using more sophisticated and complex strains to infiltrate networks, largely thanks to the rise of Ransomware-as-a-Service (RaaS) operations.[2] And as ransomware activity remains rampant, business leaders around the globe are becoming more concerned about this threat. In a recent survey conducted by Fortinet, of the 78% of leaders who claimed their enterprises were prepared for an attack, half still fell victim to one.[3]

Ransomware shows no signs of slowing, with ransomware activity ending 1H 2023 13 times higher, as a proportion of all malware detections, than at the start of the year. Five years ago, nearly a quarter (22%) of firms detected ransomware activity on their networks. That's now down to 13% for the first half of 2023. Unfortunately, this apparent decrease doesn't indicate that ransomware activity is subsiding. Instead, it's a sign that ransomware distribution has become more concentrated as ransomware gangs advance their business models by carrying out more targeted attacks using quickly adaptable and sophisticated playbooks.

The following figure shows the most prevalent malware families observed via our telemetry in the first half of 2023. It lists the top families in each of four categories: cryptominers, infostealers, ransomware, and Remote Access Trojans (RATs).

Figure 1: Top malware families by type
Cryptominer: XMRig Miner, CoinMiner, Tofsee, Monero, Purple Fox, PhotoMiner, LemonDuck, MyKings, IntelRapid, H2Miner
InfoStealer: Formbook, Loki, RedLine stealer, Glupteba, Amadey, SmokeLoader, AVE_MARIA, KRBanker, Snake Keylogger, Dridex
Ransomware: Conti, Lockbit, STOP Ransomware, DarkSide, TargetCompany Ransomware, GandCrab, BlackMatter Ransomware, TeslaCrypt, Sodinokibi, Mira, Cuba Ransomware
RAT: Agent Tesla, Emotet, REMCOS, AVE_MARIA, NetWire RAT, NanoCore RAT, Phorpiex, Cobalt Strike, AutoKMS, Neshta, OceanLotus, Indexsinas

Wipers are waning for now

One destructive category not shown in the figure above is wiper malware.[4] Wipers are aptly named because this destructive attack technique "wipes" data off infected systems. We observed a surge in wiper use in early 2022, mainly in conjunction with the Russian-Ukrainian conflict.[5] And while that increase persisted through the rest of the year, it slowed over the first half of 2023. While we've most often observed wipers being used by nation-state actors during times of war, we've also seen cybercriminals use this type of malware to target organizations in specific sectors, including technology, manufacturing, government, telecommunications, and healthcare.

Let's Rewind: Five-Year Threat Trends

As security practitioners, many of us tend to assume that everything always gets worse when it comes to cybersecurity. But is that assumption fact or fiction? It's important to take a step back occasionally to examine longer-term trends, which can give us needed perspective on the current state of the threat landscape. Let's rewind and look at five-year trends regarding exploits, malware, and botnets.

Exploit variants on the rise

The count of unique exploit detections is up 68% over the past five years. This indicates that we have more ways to detect malicious attacks today than we had previously. It also demonstrates that attackers are multiplying and diversifying their exploits. At the same time, we observed a 75% drop in exploitation attempts per organization and a 10% dip in the share of organizations seeing severe exploits. While this drop in exploitation attempts may initially sound promising, it is another indication that attackers are carrying out more targeted attacks. Cyber weapons can also wear out if used too often, as detection capabilities eventually catch up, rendering the payload useless over time.

Exploits: 10,042 unique exploit detections (+68% over the last 5 years); 54 exploit detections per organization (-75% over the last 5 years); 69% of organizations saw severe attacks (-10% over the last 5 years).

Increased malware activity driven by organized cybercrime

Malware families and variants have exploded over the past five years, up 135% and 175%, respectively. Arguably more noteworthy is that the number of malware
 families that have infiltrated at least 10% of global organizations (a critical prevalence threshold) has doubled. That's undoubtedly the result of an increasing number of cybercriminal and nation-state groups, as well as the expansion of operations by those that are currently active. As these adversaries become increasingly selective, precise, and destructive, they represent a progressively escalating threat, necessitating an unending battle against them. Leveraging the most recent and significant technological advancements from the past few years, these foes have rapidly evolved to become more capable, versatile, and covert.

Botnets become more persistent

Most modern malware families have established botnets for command and control (C2) communications. Given the growth in malware families and variants, it makes sense that botnet activity would increase as well. Today, there are more active botnets (+27%) and
a higher incidence rate of botnet infection among organizations (+126%). The real kicker for botnet trends observed in 1H 2023, though, is the significant increase in the total number of "active days," the time measured between when botnet activity was first detected by our sensors and when the botnet ceased C2 communications. Over the last six months, that averaged 83 of 183 days (the last day we measured), nearly half the period. This represents a more than 1,000-fold increase from measurements taken at the beginning of 2018, indicating that botnets have become more persistent over the past five years. The overall increase in the availability of vulnerabilities and exploits to incorporate into the "botnet weapons belt" makes this a concern, as botnet operators are quick to adapt and increase the range of devices they can automatically breach and control.

Penetrating the Red Zone

We introduced the "Red Zone" in our 2H
2022 Global Threat Landscape Report to better understand how likely (or unlikely) it is that threat actors will exploit a specific vulnerability.[6] While several factors influence the relationship between Common Vulnerabilities and Exposures (CVEs) on endpoints and CVEs targeted by attackers, such as vulnerability management practices among organizations or developments in adversary tooling, this provides a valuable snapshot of the state of the attack surface that security leaders can use to prioritize their patching efforts. In the second half of 2022, the red zone hovered around 9%, meaning that about
 1,500 CVEs, out of more than 16,500 we observed on endpoints, were under attack. For the first half of 2023, the proportion of CVEs under attack dropped to 8.3%. Interestingly, about the same number of CVEs appeared in attacks, while the number of CVEs observed on endpoints grew. While this doesn't necessarily indicate that organizations are gaining ground in the fight against new vulnerabilities, at least the percentage of vulnerabilities under attack appears to be slightly lower than in the past.

We also know that the share of vulnerabilities under attack can vary widely by platform, by as much as 11%, as shown below. Another noteworthy distinction among platforms is the share of all CVEs that appeared on endpoints, shown in yellow. Consider Microsoft and Adobe, where over half of the related vulnerabilities were observed on endpoints, compared to 12% for Apple platforms or 20% for Linux. It's worth noting that these charts normalize all platforms: one square for Adobe represents a different absolute number of vulnerabilities than one square for Linux.

What's clear is that organizations continue to struggle to close vulnerabilities as quickly as they're released, and cybercriminals are quick to exploit that reality. So, it's vital to have a sound strategy for prioritizing which vulnerabilities to patch, and to protect systems in the interim with methods such as virtual patching until patches can be deployed. While each platform should be considered during that prioritization process, that only scratches the surface in anticipating which open vulnerabilities will likely be targeted by attackers in the near future.

Figure 2: All CVEs by presence on endpoints and among attacks (legend: unobserved on endpoints; observed on endpoints; observed and under attack). About 0.7% of all CVEs were observed on endpoints and under attack.

Figure 3: CVEs for multiple platforms by presence on endpoints and among attacks (legend: unseen on endpoints; seen on endpoints; seen and attacked). Share of each platform's CVEs seen on endpoints and attacked, as printed: Adobe 13.6%, Microsoft 12.5%, Apple 6.8%, Linux 5.2%, Oracle 3.5%, Google 2.6%.

The good news is that defenders already have something more powerful at their disposal: the Exploit Prediction Scoring System (EPSS), covered in the next section.[7]

From Exploit Prediction to Outbreak

Since its inception, Fortinet has been a core contributor of exploitation activity data in support of EPSS. The Exploit Prediction Scoring System leverages numerous data sources to predict the likelihood that a vulnerability will be exploited in the wild. EPSS is led by a
special interest group at FIRST.org, of which Fortinet is a member company. Vulnerability management teams use EPSS to help prioritize their remediation efforts. But EPSS can also support intelligence efforts to track the progression of vulnerabilities from initial disclosure to the outbreak of exploitation in the wild. It's that use case we want to explore here. If EPSS data is incorporated into your threat intelligence process, it can be used effectively as an early warning system. Let's look at an example.

On May 31, an SQL injection vulnerability was announced in the MOVEit Transfer web application that could allow an unauthenticated attacker to change or delete elements in the database engine used.[8] The cybersecurity community quickly recognized this vulnerability as one to watch, and FortiGuard Labs released a Threat Signal to spread awareness and an IPS signature to monitor for exploitation activity.[9] Once the CVE was published, EPSS predicted a very high chance of exploitation in the next 30 days. Spoiler alert: it didn't take that long. Our sensors recorded attacker attempts to exploit the MOVEit vulnerability on June 5, just five days after the vulnerability was first identified,
and we released a signature that same day. In this case, EPSS provided independent validation of what our analysts anticipated and helped us stay ahead of this emerging threat during its fast ramp-up period.

The MOVEit example prompts an interesting line of questions. How long does it typically take for a vulnerability to move from initial release to exploitation in the wild? Do CVEs with a high EPSS score get exploited faster than those with lower scores? If so, can we predict the mean time-to-exploitation for any given vulnerability using EPSS? Let's see if we can answer those questions. To do that, we analyzed six years of data spanning more than 11,000 published vulnerabilities for which our sensors detected exploitation. For each CVE, we determined the time from publication to the first observation of exploitation and the corresponding EPSS score. The resulting analysis is captured in Figure 5 below.

Figure 4: Evolution of EPSS and exploitation for the MOVEit vulnerability (CVE-2023-34362). The chart plots the EPSS percentile rank (0% to 100%) from June 5 to June 26, with the following events marked:
Jun 2: CVE published; FortiGuard Labs released a Threat Signal; CISA added the CVE to KEV
Jun 3: EPSS scored 87% of CVEs lower than this one
Jun 13: exploit on GitHub; NVD added details
Jun 14: added into Intrigue; EPSS scored 97.8% of CVEs lower than this one
Jun 21: added into Nuclei; NVD added details
Jun 23: Metasploit module published; Fortinet Outbreak Alert
The series "Exploitation in the wild observed" is also plotted.

In short, we learned that EPSS matters when predicting which vulnerabilities might be exploited and how quickly that exploitation will occur. Within seven days of publication, 22% of vulnerabilities with the highest EPSS scores (top 1%) saw exploitation activity, compared to just 0.07% of those in the bottom half of EPSS scores. After a full year, 85% of the highest-ranking EPSS CVEs recorded exploitation, while the lower half remained largely ignored by attackers.

Figure 5: Exploitation rate of vulnerabilities with different EPSS scores
EPSS top 1%: 22.3% exploited within one week of CVE publication; 85.3% within one year
EPSS bottom 50%: 0.1% exploited within one week of CVE publication; 0.1% within one year

That means that a CVE that EPSS scores in the top 1% warrants your immediate attention, because it's over 300 times more likely to be exploited within a week than most other vulnerabilities on your radar, and that gap widens significantly over the first year. If you aren't doing so already, pull those EPSS scores daily and prioritize your patching efforts accordingly.[10]

Global ATT&CK Heatmap

After approximately six months of continual data processing leveraging our global network of over 10 million sensors, we compiled a list of the most commonly observed hashes in the wild. Our state-of-the-art sensors employ machine learning (ML) techniques to transform raw data into an enriched dataset that examines network traffic for potential threats. We then use our portfolio of Fortinet products and solutions to analyze detected malicious payloads, observing and identifying subtle behavior indicative of their underlying intent.
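Before going further into the heatmap data, here is what the EPSS guidance from the previous section (pull scores daily, act on the top 1% first, treat a sharp percentile climb as an early warning) looks like as a triage script. This is an added example, not Fortinet's code and not part of the report. It parses JSON in the shape returned by the FIRST EPSS API (https://api.first.org/data/v1/epss) but runs offline on two constructed snapshots: the CVE-0000-* identifiers are placeholders, the epss values are made up, and only the MOVEit percentiles follow Figure 4 (87% on Jun 3, 97.8% on Jun 14). The 0.99 and 0.50 cut-offs come from the report's own findings; the "scheduled" middle band and the 10-point jump threshold are assumptions.

```python
"""EPSS-driven patch triage: pull scores daily, act on the top 1% first.

Added example, not Fortinet's code. The JSON below mimics the shape of the FIRST EPSS API
(https://api.first.org/data/v1/epss) but is constructed so the script runs offline; the
CVE-0000-* identifiers are placeholders, and the epss/percentile values are made up except
the MOVEit percentiles, which follow Figure 4 (87% on Jun 3, 97.8% on Jun 14).
"""
from __future__ import annotations
import json
from dataclasses import dataclass

TOP_1_PERCENT = 0.99   # report: top-1% EPSS CVEs are >300x more likely to be exploited within a week
BOTTOM_HALF = 0.50     # report: the bottom half is largely ignored by attackers
JUMP_THRESHOLD = 0.10  # assumption: a 10-point percentile climb in one pull deserves a look

@dataclass(frozen=True)
class EpssScore:
    cve: str
    epss: float        # probability of exploitation in the next 30 days
    percentile: float  # share of all scored CVEs ranked below this one
    date: str

def parse_epss_response(text: str) -> dict[str, EpssScore]:
    """The API returns epss and percentile as strings; convert them once, here."""
    doc = json.loads(text)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {doc.get('status')!r}")
    return {r["cve"]: EpssScore(r["cve"], float(r["epss"]), float(r["percentile"]), r["date"])
            for r in doc["data"]}

def tier(score: EpssScore, in_kev: bool) -> str:
    """KEV membership is confirmed exploitation, so it outranks any prediction."""
    if in_kev or score.percentile >= TOP_1_PERCENT:
        return "immediate"
    if score.percentile >= BOTTOM_HALF:
        return "scheduled"
    return "routine"

def prioritize(scores: dict[str, EpssScore], on_endpoints: set[str], kev: set[str]):
    """Rank only CVEs actually present on endpoints (the report's red-zone framing).
    Returns (cve, tier, epss) tuples, most urgent first."""
    ranked = []
    for cve in on_endpoints:
        s = scores.get(cve)
        if s is None:
            ranked.append((cve, "unscored", 0.0))   # unknown is not the same as safe
        else:
            ranked.append((cve, tier(s, cve in kev), s.epss))
    order = {"immediate": 0, "scheduled": 1, "unscored": 2, "routine": 3}
    ranked.sort(key=lambda r: (order[r[1]], -r[2], r[0]))
    return ranked

def percentile_jumps(yesterday: dict[str, EpssScore], today: dict[str, EpssScore],
                     threshold: float = JUMP_THRESHOLD):
    """Early warning: CVEs whose percentile climbed sharply since the previous pull."""
    jumps = [(cve, yesterday[cve].percentile, now.percentile)
             for cve, now in today.items()
             if cve in yesterday and now.percentile - yesterday[cve].percentile >= threshold]
    return sorted(jumps, key=lambda j: j[2] - j[1], reverse=True)

# Constructed snapshots in the API's response shape (see the docstring).
YESTERDAY_JSON = """{"status":"OK","status-code":200,"version":"1.0","access":"public",
 "total":4,"offset":0,"limit":100,"data":[
 {"cve":"CVE-2023-34362","epss":"0.050000000","percentile":"0.870000000","date":"2023-06-03"},
 {"cve":"CVE-2022-30190","epss":"0.970000000","percentile":"0.994000000","date":"2023-06-03"},
 {"cve":"CVE-0000-0001","epss":"0.001000000","percentile":"0.300000000","date":"2023-06-03"},
 {"cve":"CVE-0000-0002","epss":"0.015000000","percentile":"0.700000000","date":"2023-06-03"}]}"""
TODAY_JSON = """{"status":"OK","status-code":200,"version":"1.0","access":"public",
 "total":4,"offset":0,"limit":100,"data":[
 {"cve":"CVE-2023-34362","epss":"0.900000000","percentile":"0.978000000","date":"2023-06-14"},
 {"cve":"CVE-2022-30190","epss":"0.970000000","percentile":"0.995000000","date":"2023-06-14"},
 {"cve":"CVE-0000-0001","epss":"0.001000000","percentile":"0.300000000","date":"2023-06-14"},
 {"cve":"CVE-0000-0002","epss":"0.020000000","percentile":"0.750000000","date":"2023-06-14"}]}"""
# Assumed inventory: what a scanner found on endpoints (CVE-0000-0003 has no EPSS row yet).
ON_ENDPOINTS = {"CVE-2023-34362", "CVE-2022-30190", "CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}
KEV = {"CVE-2023-34362"}   # CISA added the MOVEit CVE to KEV on Jun 2 (Figure 4)

if __name__ == "__main__":
    today = parse_epss_response(TODAY_JSON)
    for cve, t, p in prioritize(today, ON_ENDPOINTS, KEV):
        print(f"{t:<10} {cve:<16} epss={p:.3f}")
    for cve, was, now in percentile_jumps(parse_epss_response(YESTERDAY_JSON), today):
        print(f"jump: {cve} percentile {was:.3f} -> {now:.3f}")
```

Two design points worth noting: the MOVEit CVE lands in the "immediate" tier on Jun 14 even though its percentile (97.8%) is still below the top-1% line, because confirmed exploitation (KEV) should always outrank a prediction; and the day-over-day jump check is what turns a daily pull into the early-warning signal the report describes, since a CVE climbing from the 87th to the 98th percentile is exactly the ramp-up shown in Figure 4.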
The insights generated through this process are crucial for cybersecurity defenders worldwide, enabling laser-focused red team engagements and effective threat hunting activities.

MITRE ATT&CK gives us a better understanding of the operations of threat actors. Both easy to follow and actionable, ATT&CK enables defenders to categorize threat actor behaviors in a manner that is both systematic and repeatable, ultimately helping security teams better identify potential attacks and accurately assess organizational risk. Please note that this report represents only "a piece of the
pie." Different security solutions have their own unique capabilities and roles when it comes to detecting specific techniques. This analysis is based on data from FortiSandbox sandboxing and FortiEDR endpoint detection and response solutions. Let's examine the sandbox data first. These techniques can best be interpreted as attack capability (what the analyzed payloads are able to do), rather than as attacks that succeeded against any particular organization.

As you can see, detections gleaned from the sandbox data provide thorough visibility across the ATT&CK framework. The columns in Figure 6 list the top 10 most-detected techniques for each tactic. Sub-techniques in each column have been rolled up to their parent technique for the sake of the visual. Let's explore how these techniques have been deployed over the past six months and discuss ways to counter them.

In the Initial Access phase, the most prevalent technique observed is Replication Through Removable Media.[11] While it's not the number-one entry point into corporate networks, the majority of malicious payloads we analyzed could spread via this method. This technique saw an uptick in usage when it was picked up by Raspberry Robin, which we covered in our previous report.[12] Since then, Microsoft has uncovered numerous other uses of this worm, with Raspberry Robin growing into one of the largest malware distribution platforms. From the FortiGuard Labs perspective, this worm has spread so widely mainly because of its simple tactic of masquerading a .LNK file as a folder, which most individuals are likely to open. This malware family has been named by the Cybersecurity and Infrastructure Security Agency (CISA) as one of the most active droppers in existence, being used to deliver IcedID, TrueBot, and Bumblebee malware.[13]

In the Execution phase, we noted a surge in Exploitation for Client Execution.[14] This trend implies that attacks
 are decreasingly dependent on users inadvertently triggering a payload or enabling macros. An example is a specific vulnerability exploited through Microsoft Word, like the increasingly prevalent Follina vulnerability (CVE-2022-30190) detailed in several of our recent blog posts.[15] We also observed this trend in threats stopped by FortiEDR. Many are now less reliant on user interaction to achieve code execution. One way to safeguard your organization from this technique is to shrink your attack surface by regularly patching vulnerabilities.

Figure 6: ATT&CK techniques in cloud data by tactic (top techniques per tactic, as a share of that tactic's detections)
Initial Access: Replication Through Removable Media 60%; Phishing 28%; Drive-by Compromise 5%; Exploit Public-Facing Application 4%; External Remote Services 2%; Valid Accounts 1%
Execution: Exploitation for Client Execution 24%; WMI 22%; Command & Scripting Interpreter 19%; Shared Modules 13%; Scheduled Task/Job 10%; Native API 6%; System Services 5%; Inter-Process Communication 0.5%; User Execution 0.06%; Software Deployment Tools 0.005%
Persistence: Hijack Execution Flow 30%; Boot/Logon Autostart Execution 20%; Create/Modify System Process 19%; Scheduled Task/Job 18%; Office Application Startup 11%; Event Triggered Execution 0.3%; Browser Extensions 0.3%; Pre-OS Boot 0.2%; Boot/Logon Initialization Scripts 0.09%; Create Account 0.03%
Privilege Escalation: Process Injection 34%; Hijack Execution Flow 21%; Boot/Logon Autostart Execution 14%; Create/Modify System Process 13%; Scheduled Task/Job 13%; Access Token Manipulation 4%; Event Triggered Execution 0.3%; Abuse Elevation Control Mechanism 0.07%; Boot/Logon Initialization Scripts 0.07%; Valid Accounts 0.02%
Defense Evasion: Obfuscated Files/Information 19%; Masquerading 15%; Virtualization/Sandbox Evasion 15%; Impair Defenses 13%; Process Injection 9%; Indicator Removal on Host 7%; Hijack Execution Flow 6%; Hide Artifacts 4%; Deobfuscate/Decode Files/Information 3%; Modify Registry 3%
Credential Access: OS Credential Dumping 42%; Input Capture 40%; Unsecured Credentials 17%; Credentials from Password Stores 0.6%; Steal Web Session Cookie 0.1%; Network Sniffing 0.09%; Adversary in the Middle 0.01%; Forge Web Credentials 0.007%; Modify Authentication Process 0.0006%; Brute Force 0.0003%
Discovery: System Information Discovery 21%; File & Directory Discovery 15%; Software Discovery 13%; Virtualization/Sandbox Evasion 11%; Process Discovery 9%; Remote System Discovery 8%; Query Registry 7%; System Network Configuration Discovery 6%; Application Window Discovery 5%; System Owner/User Discovery 1%
Lateral Movement: Replication Through Removable Media 63%; Taint Shared Content 25%; Remote Services 4%; Use Alternate Authentication Material 4%; Lateral Tool Transfer 2%; Exploitation of Remote Services 1%; Software Deployment Tools 1%
Collection: Data from Local System 29%; Input Capture 23%; Email Collection 21%; Automated Collection 15%; Archive Collected Data 4%; Clipboard Data 3%; Browser Session Hijacking 3%; Screen Capture 0.7%; Video Capture 0.4%; Data from Information Repositories 0.3%
Command and Control: Application Layer Protocol 40%; Non-Application Layer Protocol 22%; Ingress Tool Transfer 19%; Encrypted Channel 12%; Non-Standard Port 4%; Proxy 2%; Web Service 0.7%; Remote Access Software 0.07%; Data Obfuscation 0.02%; Data Encoding 0.02%
Exfiltration: Exfiltration Over Alternative Protocol 100%; Automated Exfiltration 0.02%
Impact: System Shutdown/Reboot 56%; Data Manipulation 30%; Data Encrypted for Impact 5%; Inhibit System Recovery 3%; Service Stop 3%; Endpoint Denial of Service 1%; Resource Hijacking 0.7%; Data Destruction 0.7%; Defacement 0.08%; Account Access Removal 0.05%

For the Persistence phase, we continue to see high instances of DLL Sideloading (under Hijack Execution Flow).[16] The 3CX attack employed this technique to achieve both Defense Evasion and Persistence, which we analyzed in a recent blog post.[17] This technique is particularly troublesome because it enables attackers to sidestep protective measures like application control and other limitations on software execution.
To protect your organization's network from this technique, ensure that software isn't vulnerable to DLL Sideloading in the first place, as there is not much you can do otherwise to avoid running unintended code. While malicious payloads within the network will get flagged eventually, that will only occur after they've been loaded into memory.

The top three techniques under Defense Evasion are no great surprise: Obfuscated Files and Information, Masquerading, and Virtualization/Sandbox Evasion.[18,19,20] Even unique pieces of malware demonstrate various forms of obfuscation, from API calls to strings in memory. Given the widespread deployment of sandbox solutions both on-premises and as Software-as-a-Service (SaaS) offerings, mastering these techniques has become essential for any threat actor.

OS Credential Dumping and Input Capture lead the pack under Credential Access.[21,22] Since its release, we have observed multiple threat actors leveraging Mimikatz for related functionality. Furthermore, its integration into various post-exploitation frameworks, such as Cobalt Strike, Metasploit, and Sliver (and its ability to be loaded via Reflective Code Loading, T1620, through PowerShell), makes it a useful tool even in fileless attacks.
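Three of the techniques discussed above (the .LNK launch from removable media under Initial Access, DLL Sideloading under Persistence, and Mimikatz-style LSASS access under Credential Access) share one property: each leaves a distinctive trace in ordinary endpoint telemetry. The script below is an added example, not Fortinet's, Microsoft's or any vendor's code, showing one detection rule per technique run over constructed Sysmon-style events. The field names follow Sysmon event IDs 1 (ProcessCreate), 7 (ImageLoad) and 10 (ProcessAccess); the events, paths, drive letters, DLL list and LSASS allowlist are assumptions to be tuned per estate, and the ATT&CK IDs are T1091, T1574.002 and T1003.001.

```python
"""Endpoint detections for three heatmap techniques over constructed Sysmon-style events:
a script host launched from removable media (T1091), DLL sideloading (T1574.002) and
LSASS memory access of the kind Mimikatz performs (T1003.001).

Added example, not Fortinet's code. Field names follow Sysmon event IDs 1 (ProcessCreate),
7 (ImageLoad) and 10 (ProcessAccess); the events, paths and allowlists are made up and
the thresholds are assumptions.
"""
from __future__ import annotations
import ntpath

REMOVABLE_DRIVES = {"E:", "F:"}        # assumption: letters the host assigns to removable volumes
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Windows DLL names that ordinary applications import by name and that are therefore
# classic sideloading targets when a same-named file is planted beside the EXE.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "dwmapi.dll", "userenv.dll"}
LOLBINS = {"cmd.exe", "powershell.exe", "msiexec.exe", "wscript.exe", "rundll32.exe", "mshta.exe"}
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}   # assumption
PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def removable_media_launch(ev: dict):
    """A script/installer host started by Explorer with its working directory on a removable
    volume: what a double-click on a .LNK that masquerades as a folder looks like."""
    if ev["EventID"] != 1:
        return None
    drive = ntpath.splitdrive(ev.get("CurrentDirectory", ""))[0].upper()
    if (_base(ev["ParentImage"]) == "explorer.exe" and _base(ev["Image"]) in LOLBINS
            and drive in REMOVABLE_DRIVES):
        return ("T1091", f"{_base(ev['Image'])} started from {drive} by Explorer")
    return None

def dll_sideload(ev: dict):
    """A well-known Windows DLL name loaded from outside the system directories and unsigned."""
    if ev["EventID"] != 7:
        return None
    loaded = ev["ImageLoaded"]
    if (_base(loaded) in SIDELOAD_DLLS and not loaded.lower().startswith(SYSTEM_DIRS)
            and ev.get("Signed", "false").lower() != "true"):
        return ("T1574.002", f"{ev['Image']} loaded {loaded}")
    return None

def lsass_access(ev: dict):
    """A process outside the allowlist opening lsass.exe with PROCESS_VM_READ."""
    if ev["EventID"] != 10 or _base(ev["TargetImage"]) != "lsass.exe":
        return None
    if _base(ev["SourceImage"]) in LSASS_READERS_OK:
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return ("T1003.001", f"{ev['SourceImage']} opened lsass with {ev['GrantedAccess']}")
    return None

RULES = (removable_media_launch, dll_sideload, lsass_access)

def detect(events):
    """Returns (EventID, technique, detail) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev["EventID"], *hit))
    return hits

# Constructed events (not real telemetry): each malicious event is followed by a benign twin.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": "E:\\", "CommandLine": "cmd.exe /c start photos"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\alice\Documents",
     "CommandLine": "WINWORD.EXE"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for event_id, technique, detail in detect(SAMPLE_EVENTS):
        print(f"event {event_id:>2}  {technique:<10} {detail}")
```

The sideloading rule illustrates the report's point that there is little to do once the DLL is in memory: the load event is the first and last visibility you get, so the rule keys on where the DLL came from rather than what it does. The LSASS rule checks the access mask rather than the mere open, because many legitimate processes query lsass.exe without reading its memory; a 0x1400 mask (query rights only) from csrss.exe is normal, a 0x1010 mask (PROCESS_VM_READ) from a binary in a temp directory is not.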
The Discovery and Lateral Movement phases exhibit a symbiotic relationship: increased asset discovery leads to heightened lateral movement within compromised environments. One of the most effective defense strategies against this is ensuring proper visibility and control over network traffic, as a wide variety of techniques occur during these phases and can be detected with appropriate controls.

From Collection to Impact, little has changed. Adversaries use the same techniques to collect and aggregate sensitive data, then exfiltrate it over a protocol different from the command and control channel. About 22% of attacks use connectionless protocols, such as UDP or ICMP, to communicate with their C2 servers. It's an unusual choice, because these protocols provide no session state or retransmission, so the malware has to implement its own reliability; but the technique can fly under the radar because these protocols aren't closely monitored.
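Because ICMP and UDP are rarely inspected, the practical check is statistical rather than signature-based: a C2 implant talking over a connectionless protocol still has to poll on a timer, and an ICMP channel that carries data has to pad echo requests well beyond what a stock ping sends. The script below is an added example, not Fortinet's code, that applies both heuristics to egress flow records. The records are constructed tuples of (timestamp in seconds, source, destination, protocol, destination port, bytes); the 10.0.0.0/8 address space, the DNS/NTP port exclusion, the packet-count, jitter and payload-size thresholds are all assumptions to tune per network.

```python
"""Spot connectionless (ICMP/UDP) command-and-control in egress flow records.

Added example, not Fortinet's code. Flow records are constructed tuples of
(timestamp in seconds, src, dst, proto, dst_port, bytes); the address space, port
exclusions and thresholds are assumptions to tune per network.
"""
from __future__ import annotations
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored address space
PERIODIC_BY_DESIGN = {53, 123}   # DNS and NTP are periodic anyway; cover DNS tunnelling separately
MIN_PACKETS = 6                  # enough samples to judge periodicity
MAX_JITTER = 0.2                 # coefficient of variation of inter-arrival times; lower looks scripted
ICMP_ECHO_MAX_BYTES = 128        # a stock echo request is well under this; bigger payloads carry data

@dataclass
class Beacon:
    src: str
    dst: str
    proto: str
    packets: int
    mean_interval: float
    jitter: float
    max_bytes: int
    oversized: bool

def find_beacons(flows):
    """Group egress ICMP/UDP by (src, dst, proto) and flag pairs that are either
    metronomic (low jitter) or carry oversized echo payloads."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dport, nbytes in flows:
        if proto not in ("ICMP", "UDP") or ipaddress.ip_address(dst) in INTERNAL:
            continue
        if proto == "UDP" and dport in PERIODIC_BY_DESIGN:
            continue
        by_pair[(src, dst, proto)].append((ts, nbytes))
    found = []
    for (src, dst, proto), pkts in by_pair.items():
        if len(pkts) < MIN_PACKETS:
            continue
        pkts.sort()
        gaps = [later - earlier for (earlier, _), (later, _) in zip(pkts, pkts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        biggest = max(n for _, n in pkts)
        oversized = proto == "ICMP" and biggest > ICMP_ECHO_MAX_BYTES
        if jitter <= MAX_JITTER or oversized:
            found.append(Beacon(src, dst, proto, len(pkts), mean, jitter, biggest, oversized))
    return found

# Constructed flows: one ICMP beacon every ~60 s with fat payloads, a normal DNS burst,
# metronomic NTP (excluded by port) and internal pings (excluded by address).
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "198.51.100.23", "ICMP", 0, 220) for t in (0, 60, 121, 180, 241, 300, 360, 421, 480, 540)]
    + [(t, "10.0.0.9", "198.51.100.53", "UDP", 53, 78) for t in (5, 7, 40, 300, 302)]
    + [(t, "10.0.0.9", "198.51.100.10", "UDP", 123, 76) for t in range(0, 512, 64)]
    + [(t, "10.0.0.5", "10.0.0.1", "ICMP", 0, 98) for t in (10, 11, 12)]
)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS):
        print(f"{b.src} -> {b.dst} {b.proto}: {b.packets} pkts, every {b.mean_interval:.0f}s "
              f"(jitter {b.jitter:.2f}), max {b.max_bytes} bytes{' OVERSIZED' if b.oversized else ''}")
```

The two heuristics are deliberately independent: a beacon that randomizes its sleep interval still shows up through payload size, and a channel that keeps packets small still shows up through timing. The NTP exclusion is the trade-off to be aware of, since excluding "periodic by design" ports is exactly where a DNS- or NTP-shaped C2 channel would hide; those need protocol-aware checks rather than this generic one.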
Technique Insights from Endpoint Telemetry

Looking at our FortiEDR data gives us another perspective on attacks and the initial access techniques that cybercriminals use. In the majority of cases, organizations using EDR capabilities also use some form of sandboxing, so it's safe to say that the threats stopped by an EDR tool are most likely those that would have managed to bypass "traditional" sandboxing technology (an excellent example of the need for defense-in-depth). Understanding how these threats operate can give defenders more focused intelligence for their threat hunting activities.

Figure 7: Top ATT&CK techniques detected by FortiEDR by month (January through May 2023, ranked)
January: Process Injection (Defense Evasion); Input Capture (Credential Access); OS Credential Dumping (Credential Access); Exploit Public-Facing Application (Initial Access); Exploitation for Defense Evasion (Defense Evasion)
February: Process Injection; Input Capture; OS Credential Dumping; System Binary Proxy Execution (Defense Evasion); Exploit Public-Facing Application
March: Process Injection; Input Capture; OS Credential Dumping; System Binary Proxy Execution; Exploit Public-Facing Application
April: Process Injection; Exploit Public-Facing Application; Exploitation for Defense Evasion; Input Capture; OS Credential Dumping
May: Process Injection; Exploit Public-Facing Application; Exploitation for Defense Evasion; Input Capture; OS Credential Dumping

Above are the five most active techniques per month. Some of the same techniques seen and stopped by sandboxing technology get used in other events once execution is achieved on a machine inside an organization. The most active techniques we observed during 1H 2023 include:
- Process Injection
- Input Capture
- OS Credential Dumping
- Exploit Public-Facing Application
- Exploitation for Defense Evasion

Process Injection is the leader across all months.[23] With a dozen possible process injection types already categorized, this technique is undoubtedly used and abused by attackers for both defense evasion and privilege escalation. The second and third
 most-used techniques across all months both fall under Credential Access: Input Capture and OS Credential Dumping. Using these techniques, threat actors try to intercept user input to acquire credentials, or amass data by looking for credentials in memory. During regular system interaction, users typically enter their credentials at various points, such as authentication portals or system prompt windows. The mechanisms deployed for capturing this input can often be indistinguishable to the user, such as Credential API Hooking.

To finish, we have Exploitation for Defense Evasion and Exploit Public-Facing Application (Initial Access) as the final most-used techniques, with almost the same number of triggers in the wild. Adversaries are keen to exploit vulnerabilities in software to gain a vantage point in the system so they can further carry out their nefarious actions. With the number of CVEs exploding over the last couple of years (we are on track to hit 30,000 CVEs this year, a 50% increase over the 20,000 CVEs reported in 2021), there is no shortage of vulnerabilities for attackers to add to their respective toolboxes. Coupled with the advent of AI large language models (LLMs), which can rapidly process large datasets to pinpoint incoming threats and existing vulnerabilities, crafting an exploit for that low-hanging fruit is easier than ever, so we expect that exploitation will continue to be a weapon of choice for cyberattackers.

Protecting Your Enterprise from Evolving Threats

Cybercriminals will never miss an opportunity to make a profit, and the rise of organized cybercrime like RaaS groups in recent years has made a quick payday even easier to achieve. Bad actors will constantly find new vulnerabilities to exploit and more sophisticated attack techniques to infiltrate networks. However, the good news is that most of the
107、tactics used by threat actors over the past few months are familiar to us,which means defenders have more opportunities than ever to thwart attacks before they happen.As attackers continue to evolve their own operations,though,its crucial to assess and enhance the cyber-defense strategies within you
108、r organization to stay ahead of potential threats.From using and sharing threat intelligence to implementing the right technologies,here are several steps you can take today to safeguard your enterprises networks and data.Share and utilize threat intelligenceTo combat the ever-increasing sophisticat
109、ion and volume of cyberthreats,the practice of sharing and utilizing threat intelligence has emerged as a vital component of any organizational defense strategy.Fortinet is committed to doing its part to enable advancements in threat intelligence sharing.Fortinet is a founding member of the Cyber Th
110、reat Alliance(CTA),an organization created in 2014 to enable threat intelligence sharing among competing cybersecurity vendors.24 Fast-forward to today,and this organization has become vital to combating cybercrime effectively on a global scale.However,establishing trust and confidentiality,ensuring
111、 data standardization,and managing a high volume of information are just some obstacles that complicate effective intelligence sharing.The CTA has successfully tackled these challenges,uniting elite Cyber Threat Intelligence(CTI)teams worldwide and significantly enhancing the global perspective on c
112、yberthreats.121H 2023 Global Threat Landscape ReportREPORTUnderstand attack flows to identify patterns and indicators of compromiseCyberattacks are becoming more sophisticated,frequent,and damaging,making it crucial for businesses to enhance their knowledge of their adversaries.Understanding the att
113、ack flow,from initial entry points to post-exploitation activities,is essential for developing effective cybersecurity strategies.Attack flow refers to the sequence of steps an adversary takes to infiltrate a target system and achieve their objectives.It encompasses various stages,including reconnai
114、ssance,initial access,privilege escalation,lateral movement,data exfiltration,and persistence.Organizations can better identify vulnerabilities,implement appropriate security measures,and respond effectively to cyberthreats by understanding each stage.Understanding the attack flow is crucial for sev
115、eral reasons.First,it allows organizations to visually understand the steps of an attack and their relationships and outcomes.By studying adversaries tactics,techniques,and procedures(TTPs)at each stage,security teams can identify patterns and indicators of compromise(IOCs),enabling them to identify
116、 an attack in progress and take timely action.Comprehending the attack flow also helps organizations allocate resources more effectively.By focusing on the most vulnerable stages of an attack,such as initial access or privilege escalation,businesses can prioritize security measures and investments t
117、o maximize their cybersecurity posture.Lastly,understanding an attack flow enables organizations to enhance their incident response capabilities.By mapping out an attacks various stages and potential activities,security teams can develop playbooks and response plans tailored to each stage,ensuring a
118、 swift and effective response during a cyberattack.The advantages of fully understanding attack flows are why Fortinet has participated as a research sponsor in both MITRE Engenuitys Center for Threat-Informed Defense(CTID)ATTACK Flow projects.25 We believe that such advances in threat intelligence,
119、in which we can identify and respond to threats based on their profile,will shift the economics of an attack to tip the scale in favor of the defenders.Figure 8:MITRE ATT&CK Flow Builder-Example Flow131H 2023 Global Threat Landscape ReportREPORTWere also starting to incorporate standards in our repo
120、rts,such as the Wintapix driver work published by two of our researchers.26Shore up your technologies and processesTheres no time like now to implement new security technologies or reassess your current stack.Regardless of your chosen tools,you must ensure they can leverage AI,ML,deep learning(DL),a
121、nd advanced analytics.These capabilities have become essential for processing the enormous volume of data organizations generate to identify risky or anomalous traffic that could indicate a threat or other risk.Examining and adjusting your current processes is a must if you want to stay ahead of you
122、r adversaries.This includes redefining roles and responsibilities on your security team,building or updating playbooks,and conducting tabletop exercises to pressure-test your teams capabilities or identify process gaps that must be addressed.Many organizations today are also turning to trusted vendo
123、rs to act as an extension of their own security personnel.Our FortiGuard AI-Powered Security Services span a variety of powerful tools,like next-generation firewalls(NGFWs);network telemetry and analytics;endpoint detection and response(EDR);extended detection and response(XDR);digital risk protecti
124、on(DRP);security information and event management(SIEM);inline sandboxing;deception;security orchestration,automation,and response(SOAR);and more.These solutions provide your organization with advanced threat detection and prevention capabilities that can help you quickly detect and respond to secur
125、ity incidents across the entire attack surface.Conclusion and Final OutlookWe hope you enjoyed reading this report as much as we enjoyed creating it.We understand that cybersecurity can sometimes appear exceedingly complex.However,the field is invariably populated by inspired,enthusiastic individual
126、s who work tirelessly to provide the community with innovative and streamlined approaches to enhance their security posture.The struggle against cybercrime and threats posed by nation-states is a constant challenge,and as an industry,were fully prepared to confront and combat it.The strengthening of
127、 partnerships sharing threat intelligence between the public and private sectors is crucial in fighting this cyber war.Threat intelligence must be immediately actionable through comprehensive playbooks,which can be a challenge without standards when it comes to sharing,tooling,and reporting.Yet shar
128、ed threat intelligence is a key component of how we ensure frictionless,timely,and effective responses.We firmly believe that defenders today possess ample access to tools,knowledge,and support to begin altering the economics of an attack,all of which represent a powerful countermeasure against adve
129、rsaries.141H 2023 Global Threat Landscape ReportREPORT1“MITRE ATT&CK Matrix for Enterprise,”MITRE,20152023.2 Douglas Jose Pereira dos Santos,“2H 2022 Global Threat Landscape Report:Key Insights for CISOs,”Fortinet,March 3,2023.3“2H 2022 Global Threat Landscape Report,”Fortinet,March 3,2023.4 Geri Re
130、vay,“The Year of the Wiper,”Fortinet,January 24,2023.5 Derek Manky,“The Latest Intel on Wipers,”Fortinet,March 23,2023.6 Douglas Jose Pereira dos Santos,“2H 2022 Global Threat Landscape Report:Key Insights for CISOs,”Fortinet,March 3,2023.7“Exploit Prediction Scoring System,”FIRST.org,2015-2023.8 Ja
131、mes Slaughter,Fred Gutierrez,and Shunichi Imano,“MOVEit Transfer Critical Vulnerability(CVE-2023-34362)Exploited as a 0-Day,”Fortinet,June 8,2023.9“Threat Signal Report:MOVEit Transfer Critical Vulnerability(CVE-2023-34362),”FortiGuard Labs,June 2,2023.10“EPSS API,”FIRST.org,20152023.11“Replication
132、Through Removable Media,”MITRE ATT&CK,May 31,2017.12“IPS Threat Encyclopedia:Raspberry.Robin.Worm,”FortiGuard Labs,July 14,2022.13“Increased Truebot Activity Infects U.S.and Canada-Based Networks,”Cybersecurity and Infrastructure Security Agency,July 6,2023.14“Exploitation for Client Execution,”MITR
133、E ATT&CK,April 18,2018.15 Fortinet Follina Blog Posts,accessed July 27,2023.16“Hijack Execution Flow:DLL Side-Loading,”MITRE ATT&CK,March 13,2020.17 FortiGuard Labs,“3CX Desktop App Compromised(CVE-2023-29059),”Fortinet,March 30,2023.18“Obfuscated Files or Information,”MITRE ATT&CK,May 31,2017.19“Ma
134、squerading,”MITRE ATT&CK,May 31,2017.20“Virtualization/Sandbox Evasion,”MITRE ATT&CK,April 17,2019.21“OS Credential Dumping,”MITRE ATT&CK,May 31,2017.22“Input Capture,”MITRE ATT&CK,May 31,2017.23“Process Injection,”MITRE ATT&CK,May 31,2017.24 Derek Manky,“Partnering to Disrupt Cybercrime,”Fortinet,F
135、ebruary 14,2023.25 Douglas Jose Pereira dos Santos,“MITRE Attack Flow Gives CISOs Valuable Context for Better Risk Management,”Fortinet,November 3,2022.26 Geri Revay and Hossein Jazi,“WINTAPIX:A New Kernel Driver Targeting Countries in the Middle East,”Fortinet,May 22,2023.1H 2023 Global Threat Land
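The endpoint technique sightings and the attack-flow stages discussed in the sections above, worked through as an added example that is not part of the Fortinet report: it maps constructed telemetry events onto the report's five most-active ATT&CK techniques, finds the monthly leader, orders each host's sightings into a flow, and flags hosts whose flow progressed from an earlier stage into credential access. The technique IDs are public MITRE identifiers; the host names, timestamps, the single tactic chosen per technique and the set of pre-credential stages are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict
# MITRE ATT&CK IDs of the report's five most-active techniques, each with the
# tactic used here to order a flow (T1055 also maps to Defense Evasion).
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", "Initial Access"),
    "T1211": ("Exploitation for Defense Evasion", "Defense Evasion"),
    "T1055": ("Process Injection", "Privilege Escalation"),
    "T1056": ("Input Capture", "Credential Access"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
}
# Assumed stages that precede credential theft in the report's attack-flow model.
PRE_CREDENTIAL = {"Initial Access", "Defense Evasion", "Privilege Escalation"}
# Constructed sample telemetry (JSON lines): hosts and timestamps are invented.
SAMPLE_EVENTS = """
{"ts": "2023-03-02T09:10:00", "host": "web01", "technique": "T1190"}
{"ts": "2023-03-02T09:14:00", "host": "web01", "technique": "T1055"}
{"ts": "2023-03-02T09:20:00", "host": "web01", "technique": "T1003"}
{"ts": "2023-03-05T14:00:00", "host": "wks07", "technique": "T1055"}
{"ts": "2023-03-05T14:01:00", "host": "wks07", "technique": "T1056"}
{"ts": "2023-03-19T17:05:00", "host": "db02", "technique": "T1211"}
{"ts": "2023-04-11T08:30:00", "host": "wks07", "technique": "T1055"}
"""

def parse_events(text):
    """Keep only sightings of tracked techniques, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    return sorted((e for e in events if e["technique"] in TECHNIQUES), key=lambda e: e["ts"])

def leader_per_month(events):
    """Most-sighted technique ID per YYYY-MM (the report saw T1055 lead every month)."""
    by_month = defaultdict(Counter)
    for e in events:
        by_month[e["ts"][:7]][e["technique"]] += 1
    return {m: c.most_common(1)[0][0] for m, c in sorted(by_month.items())}

def attack_flows(events):
    """Per-host sequence of (technique name, tactic), in time order."""
    flows = defaultdict(list)
    for e in events:
        flows[e["host"]].append(TECHNIQUES[e["technique"]])
    return dict(flows)

def hosts_needing_response(flows):
    """Hosts whose flow crossed from a pre-credential stage into Credential Access."""
    def progressed(steps):
        tactics = [t for _, t in steps]
        start = next((i for i, t in enumerate(tactics) if t in PRE_CREDENTIAL), None)
        return start is not None and "Credential Access" in tactics[start:]
    return sorted(h for h, s in flows.items() if progressed(s))
```

On the constructed sample, Process Injection leads both months and only the two hosts whose flow reached credential access are flagged, which is the per-stage triage the report's playbook advice calls for.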
Copyright 2023 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be

August 7, 2023 11:15 AM
2278529-0-0-EN